Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 866386 (CVE-2021-4217)

Summary: app-arch/unzip: null pointer dereference
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: major CC: base-system
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077
See Also: https://bugs.gentoo.org/show_bug.cgi?id=831190
Whiteboard: A2 [upstream]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-24 18:57:31 UTC
CVE-2021-4217:
https://bugzilla.redhat.com/show_bug.cgi?id=2044583

A flaw was found in unzip. The vulnerability occurs due to improper handling of Unicode strings, which can lead to a null pointer dereference. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.

Not sure if Ubuntu is the upstream here, or if there's any patch.
Comment 1 Larry the Git Cow gentoo-dev 2022-08-25 02:20:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bff42a923fb9b8ce5af167cc3032420d4a666307

commit bff42a923fb9b8ce5af167cc3032420d4a666307
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-08-25 02:18:16 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-25 02:19:14 +0000

    app-arch/unzip: add 6.0_p27
    
    Contains patches for CVE-2022-0529, CVE-2022-0530 (bug 831190) and
    for a unicode issue which *might* be CVE-2021-4217 (bug 866386).
    
    Bug: https://bugs.gentoo.org/866386
    Bug: https://bugs.gentoo.org/831190
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/unzip/Manifest             |  1 +
 app-arch/unzip/unzip-6.0_p27.ebuild | 93 +++++++++++++++++++++++++++++++++++++
 2 files changed, 94 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-25 02:23:42 UTC
I saw this in Debian's changelog:
"""
unzip (6.0-27) unstable; urgency=medium

  * Apply upstream patch for CVE-2022-0529 and CVE-2022-0530.
  - Fix null pointer dereference on invalid UTF-8 input.
  - Fix wide string conversion in process.c.
    Closes: #1010355.
"""

But I don't think it's related to this bug, I'd misread it (it's all to do with bug 831190).

Nobody (Ubuntu, Debian, RH) have patched this, so no idea if htere's even a fix out there.